The cross-site scripting flaw could be used “to take actions on a user's behalf on any website or webmail provider, if the user visits a malicious website. There are reports that this vulnerability (CVE-2012-0767) is being exploited in the wild in active targeted attacks designed to trick the user into clicking on a malicious link delivered in an email message (Internet Explorer on Windows only)”, Adobe explained in its security bulletin.
The other six vulnerabilities could be used to crash systems as well as to take control of them, although Adobe has not seen any attacks in the wild targeting these other flaws.
Vulnerable products include Adobe Flash Player 11.1.102.55 and earlier versions for Windows, Macintosh, Linux, and Solaris; Adobe Flash Player 11.1.112.61 and earlier versions for Android 4.x; and Adobe Flash Player 11.1.111.5 and earlier versions for Android 3.x and 2.x.
Adobe acknowledged the assistance of Google in finding and patching the zero-day vulnerability, as well as the help of Xu Liu of Fortinet's FortiGuard Labs, Bo Qu of Palo Alto Networks, Alexander Gavrun through TippingPoint's Zero Day Initiative, and Eduardo Vela Nava of the Google Security Team with the other vulnerabilities.